High-Tech Bridge advisory HTB23126
Nov 14, 2012

Multiple vulnerabilities in Achievo

Source: High-Tech Bridge, www.htbridge.com

CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.005 Low (Percentile: 73.8%)

High-Tech Bridge Security Research Lab discovered two vulnerabilities in Achievo, which can be exploited to perform SQL injection and cross-site scripting (XSS) attacks.

  1. SQL Injection vulnerability in Achievo: CVE-2012-5865
    The vulnerability was discovered in the “dispatch.php” script in its handling of the “activityid” HTTP GET parameter. A remote authenticated attacker can inject and execute arbitrary SQL commands in the application’s database. Successful exploitation requires that the attacker be logged in to the application (registration is closed by default).
    The following PoC (Proof of Concept) code outputs the version of the MySQL server:
    http://[host]/dispatch.php?atknodetype=project.activity&atkaction=stats&activityid=0%20UNION%20SELECT%201,version%28%29,3,4

  2. Cross-Site Scripting (XSS) vulnerability in Achievo: CVE-2012-5866
    An input sanitization error was found in the “include.php” script when handling the “field” HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in a user’s browser in the context of the vulnerable website.
    The following PoC (Proof of Concept) outputs the user’s cookie:
    http://[host]/include.php?file=atk/popups/colorpicker.inc&field=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
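
For triage on a server that ran an affected version, the following added example (not part of the High-Tech Bridge advisory or of Achievo) scans web access log lines for requests matching the two issues above: a non-numeric “activityid” sent to “dispatch.php” and markup characters in “field” sent to “include.php”. It assumes Combined Log Format and that a legitimate “activityid” is a plain decimal id; the sample log lines, and the names `classify` and `scan`, are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Characters that let a value break out of an HTML attribute or tag
MARKUP_RE = re.compile(r'[<>"\']')

# Constructed sample lines; hosts, users and timestamps are made up.
SAMPLE_LOG = """\
192.0.2.10 - alice [14/Nov/2012:10:00:01 +0000] "GET /dispatch.php?atknodetype=project.activity&atkaction=stats&activityid=12 HTTP/1.1" 200 5120
192.0.2.77 - bob [14/Nov/2012:10:02:13 +0000] "GET /dispatch.php?atknodetype=project.activity&atkaction=stats&activityid=0%20UNION%20SELECT%201,version%28%29,3,4 HTTP/1.1" 200 4870
192.0.2.77 - - [14/Nov/2012:10:03:40 +0000] "GET /include.php?file=atk/popups/colorpicker.inc&field=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 912
192.0.2.10 - - [14/Nov/2012:10:04:02 +0000] "GET /include.php?file=atk/popups/colorpicker.inc&field=bgcolor HTTP/1.1" 200 905
"""

def classify(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(parts.query)  # percent-decodes names and values once
    findings = []
    if script == "dispatch.php":
        # Assumption: a legitimate activityid is a plain decimal id.
        values = params.get("activityid", [])
        if any(not re.fullmatch(r"[0-9]+", v) for v in values):
            findings.append("CVE-2012-5865: non-numeric activityid")
    elif script == "include.php":
        if any(MARKUP_RE.search(v) for v in params.get("field", [])):
            findings.append("CVE-2012-5866: markup characters in field")
    return findings

def scan(log_text):
    """Return (line number, finding) pairs for every suspicious request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((lineno, f) for f in classify(match.group(1)))
    return hits

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

Access logs record only the query string, so the same parameters sent in a POST body will not appear here, and values are decoded only once, so double-encoded input needs a second pass.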

CPE
Name     Operator  Version
achievo  le        1.4.5
